ce76b16f3cf9dae91ccfd2a05cfd906b58b0daf4244b841589f30a62858b47b9

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2023 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6ced86fecc89bexeexeexeex.exe
Size

36KB
MD5

b6ced86fecc89ba8e2892cdccc4246e1
SHA1

926429817f112750916ae035da1c1782a672a1c1
SHA256

ce76b16f3cf9dae91ccfd2a05cfd906b58b0daf4244b841589f30a62858b47b9
SHA512

b70662c4c9f84cfd0638ccaa2d2cb1adf64b0fcb8955f983bd984b5bc63ace649646ad9ae7f5b211236bd6214f5fe693e5668518d00bef99d4a805356fd53d8e
SSDEEP

384:bgX4uGLLQRcsdeQ7/nQu63Ag7YmecFanrlwfjDUkKDfWf6XT+72kmGYjllM0:bgX4zYcgTEu6QOaryfjqDlC7rYZlM0

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	b6ced86fecc89bexeexeexeex.exe

Executes dropped EXE 1 IoCs

pid	Process
3616	hasfj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 3616	4064	b6ced86fecc89bexeexeexeex.exe	85
PID 4064 wrote to memory of 3616	4064	b6ced86fecc89bexeexeexeex.exe	85
PID 4064 wrote to memory of 3616	4064	b6ced86fecc89bexeexeexeex.exe	85

C:\Users\Admin\AppData\Local\Temp\b6ced86fecc89bexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\b6ced86fecc89bexeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Users\Admin\AppData\Local\Temp\hasfj.exe
  "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
  2⤵
  - Executes dropped EXE
  PID:3616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
37KB

MD5
f3437da2ce60f5782a37bae28e89f90f

SHA1
14da8ded322f84d259cfaccc5e85a8c8fb909ea1

SHA256
0ad5c3b4b8c632a766ba19898ce73c5d93b0686bf68889ab70e807a27928820b

SHA512
85b250bd39ac633e4e1f8ce2ebfa4ae9878bb37b5d8251b5c2cf901498e123004bf2afda7c3802b819a755676c035005278c137d35ed67ff1fc8c6d8fca83106

Download Submit
C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
37KB

MD5
f3437da2ce60f5782a37bae28e89f90f

SHA1
14da8ded322f84d259cfaccc5e85a8c8fb909ea1

SHA256
0ad5c3b4b8c632a766ba19898ce73c5d93b0686bf68889ab70e807a27928820b

SHA512
85b250bd39ac633e4e1f8ce2ebfa4ae9878bb37b5d8251b5c2cf901498e123004bf2afda7c3802b819a755676c035005278c137d35ed67ff1fc8c6d8fca83106

Download Submit
C:\Users\Admin\AppData\Local\Temp\hasfj.exe

Filesize
37KB

MD5
f3437da2ce60f5782a37bae28e89f90f

SHA1
14da8ded322f84d259cfaccc5e85a8c8fb909ea1

SHA256
0ad5c3b4b8c632a766ba19898ce73c5d93b0686bf68889ab70e807a27928820b

SHA512
85b250bd39ac633e4e1f8ce2ebfa4ae9878bb37b5d8251b5c2cf901498e123004bf2afda7c3802b819a755676c035005278c137d35ed67ff1fc8c6d8fca83106

Download Submit
memory/3616-149-0x0000000002180000-0x0000000002186000-memory.dmp

Filesize
24KB

Download
memory/4064-133-0x0000000000610000-0x0000000000616000-memory.dmp

Filesize
24KB

Download
memory/4064-134-0x0000000003120000-0x0000000003126000-memory.dmp

Filesize
24KB

Download